The Legal Implications of BYOD

Let’s face it — public-sector employees are likely using their personal mobile devices for government business, even if they're not supposed to. So what should be your first move when considering a formal BYOD program? Call a lawyer.

While it’s easy to allow devices onto a public-sector agency’s network, handling the fallout from lost or stolen smartphones could be a bigger headache than you think. Sure, you may be able to remotely wipe data, but there are privacy issues that may challenge even the clearest BYOD policy.

According to experts, there’s little case law established in the courts regarding BYOD, particularly in the public sector. So while you can draft a policy that permits an agency to access, track and wipe a device, a BYOD program can still expose a government to legal action in an extreme situation.

Attorney Alix Rubin, principal of Alix Rubin Law in New Jersey, said the main difference between the public and private sector is that employees in the private sector have a right to free speech. And while that doesn’t give public-sector workers the right to disclose confidential government information, an agency has to be extremely careful to segregate private and public information on a device.

Although it can be difficult to do, Rubin advised that public-sector employers deploy whatever technology is available to separate information and monitor only government data. Applications exist to partition storage in mobile devices for email, but they aren’t a perfect solution, as items like photos and text messages can be co-mingled.

Tony Busseri, CEO of Route1 Inc., a digital security and identity management provider, said there’s no technology out there today that can guarantee that every bit of governmental data on a device can be stored in one area. That could spell trouble if a device is wiped and personal data gets erased.

“We know whether it be privacy laws or other laws and regulations that surround this subject, it’s a touchy matter,” Busseri said. “I’m not going to go into First Amendment law or things like that, but when government walks into our personal territory, there can be a very dramatic response to it.”

Portage County, Ohio, is considering a BYOD policy for county employees. Like many public-sector agencies around the country, Portage County is looking at how to support BYOD without clear guidance on how to proceed.

Portage County CIO Brian Kelley felt one of two of the biggest issues concerning BYOD policies are public records requests and e-discovery. Kelley explained that even though a device is personal, if it’s being used for government work, it’s subject to e-discovery, which could potentially expose personal data.

Lee Neubecker, president of Forensicon, a computer forensics firm based in Chicago, agreed. He said that if for some reason discovery in a legal process required searching personal devices used for work, keyword searches might turn up unrelated content that is highly personal in nature, bringing privacy rights into question.

Although it varies whether or not data such as text messages are admissible in a court of law, Neubecker added that parties to litigation are typically allowed to look and see what facts are on various documents and electronic devices.

For example, if a person accidentally sends an email from his Gmail account instead of his government email application and it’s on a personal device he is using for work, that email constitutes a government communication. The same could theoretically apply to photos, call logs and other data generated or received by an employee.

If an employee felt that material exposed on his device was personal, he could sue the agency. The uncertainty surrounding a public agency’s liability by having a BYOD program can be frustrating to technologists who want to keep up with the times and keep employees happy.

“As CIOs in government and IT leaders, we’re faced with either quickly permitting BYOD to happen within our organizations, or we’re obstructionists to it happening,” said Kelley.

Kelley also pointed out that device support is still a gray area for BYOD. If an employee’s device gets infected with malware or is lost, and the employee can’t do his or her job because of it, whose responsibility is it to clean or replace the device? Even if the responsibilities are clearly denoted in a BYOD policy, there could be legal challenges given the lack of case law on the topic.

Protect Yourself

So what’s the solution? Unfortunately there’s no be-all, end-all fix to the legal risks associated with BYOD programs.

Busseri recommended government employers look into technology that allows employees to use their own mobile devices to review information, but not allow storage of that government data on the device. If a program is instituted that way, you get away from the legal issues in favor of data security.

“From my perspective, you use a technology that never brings that data onto the device,” Busseri said. “It doesn’t mean you can’t use the device to look at it and manipulate it, but there’s no technical reason that if I want to use a mobile device, the data has to come to it.”

But a carefully worded policy document may help reduce the likelihood of a lawsuit if a disgruntled employee isn’t happy with the way government data is being handled on his or her device. Case law on BYOD issues may be scarce, but policies should be drafted based on what exists on similar issues, such as electronic communication, invasion of privacy and First Amendment law.

Rubin said if segregating data on a device is cost-prohibitive, then agencies should craft a search-access agreement in its BYOD policy that clearly states that the government entity will not intentionally look at personal data. The policy should also include a financial disclaimer that the public-sector entity isn’t purchasing any device or upgrading it, or paying for service, unless they’ve agreed to do that.

She added that agency BYOD policies should require employees to password protect their personal devices that are used for government business and give those passwords to the employer. Although the latter might not be popular with people, Rubin felt it was an important step for governments to protect critical information contained on devices.

“Even a good policy doesn’t prevent you from getting sued, but at least it gives you a good defense,” Rubin said.